MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release


MACsec state reflection on line protocol



Explains how MACsec state reflection allows the interface line protocol to mirror the state of the MACsec session, enabling rapid failure detection and preventing silent traffic loss.


MACsec state reflection on line protocol is a network feature that:

  • synchronizes the interface line protocol state with the MACsec Key Agreement (MKA) session state,

  • transitions the line protocol to Down when the MACsec session is not secured and the security policy is set to must-secure, thereby preventing upper-layer protocols from using the interface and avoiding traffic blackholing, and

  • enables faster failure detection by upper-layer protocols such as LACP and BGP, allowing rapid convergence and traffic rerouting.

In long-haul or complex deployments, connectivity failures can occur at intermediate devices without impacting the local physical interface state. As a result, the interface may remain Up while the MKA session times out and goes down. More generally, the MACsec session can become unsecured due to intermediate network failures, configuration issues, or other connectivity issues.

By reflecting MACsec session state in line protocol state, the interface line protocol is transitioned to Down when the session is not secured, allowing upper-layer protocols to immediately detect failure and reroute traffic. When the session becomes secured, the line protocol is restored to Up. For bundle member interfaces, this ensures the interface is no longer active for forwarding when the line protocol is Down and is restored to active membership after the line protocol returns to Up, subject to bundle mode and convergence.

Table 1. Feature History Table

Feature Name: MACsec state reflection on line protocol

Release Information: Release 26.2.1

Feature Description:

Introduced in this release on: Fixed Systems (8200 [ASIC: Q100, Q200, P100], 8700 [ASIC: P100, K100], 8010 [ASIC: A100]); Centralized Systems (8600 [ASIC: Q200]); Modular Systems (8800 [LC ASIC: Q100, Q200, P100])

MACsec state reflection on line protocol synchronizes the interface line protocol state with the MACsec session state. When the session is not secured and the security policy is set to must-secure, the interface line protocol is brought Down to prevent traffic blackholing. When the session is secured, the line protocol is restored to Up. This enables faster failure detection and traffic rerouting by upper-layer protocols such as LACP and BGP.

Previously, MACsec session failures did not affect the interface's line protocol status, often resulting in silent traffic drops and delayed network convergence.

CLI: the enable-fault-detection command under macsec-policy

Guidelines for MACsec state reflection on line protocol

These are the guidelines for configuring MACsec state reflection on line protocol:
  • Policy requirement: State reflection is triggered when a MACsec interface is configured with a must-secure policy.

  • Physical link state:

    • MKA (MACsec Key Agreement) session states do not affect the physical link (laser) state.

    • The physical link must remain Up to allow MKA packets to be exchanged for session recovery.

  • Default behavior: State reflection capability is disabled by default.

  • Bundle interfaces: If a MACsec-enabled physical port is a member of a bundle, a MACsec session failure will cause the line protocol to go down and the affected member to be removed from the bundle.

  • Fault detection: This feature enables link fault detection via MACsec session state, providing an alternative to LACP aggressive mode, BFD, or Link OAM protocols.

  • Protocol impact: Any protocol whose packet transmission depends on the line protocol state is affected by this feature, even when the MACsec policy exempts that protocol from encryption (for example, LACP configured to be sent in the clear): while the line protocol is Down, that protocol's packets are not transmitted on the interface.


Configure MACsec policy for state reflection on line protocol

Enable fault detection in the MACsec policy and apply that policy to interfaces whose security policy is must-secure (the default), so that an unsecured MACsec session is reflected in the interface line protocol state.

Procedure

1.

Define MACsec policy and enable fault detection.

Example:

Router#configure
Router(config)#macsec-policy mp
Router(config-macsec-policy)#enable-fault-detection
Router(config-macsec-policy)#commit
2.

Attach the MACsec policy and specify the PSK keychain, fallback keychain, and policy name.

Example:

Router(config)#interface HundredGigE0/1/0/0
Router(config-if)#macsec psk-keychain kc1 fallback-key-chain fb1 policy mp
Router(config-if)#commit
3.

Verify that the MACsec policy is configured and active.

Example:

Router#show run macsec-policy mp
macsec-policy mp
 enable-fault-detection
!

Ensure that enable-fault-detection appears in the output. The security policy is not shown in the running configuration when it is the default (must-secure); confirm it in the policy detail output in the next step.

4.

Review the MACsec policy details and confirm that Security Policy is Must Secure and Enable Fault Detection is TRUE.

Example:

Router#show macsec policy detail
Policy Name                 : mp
      Cipher Suite          : GCM-AES-XPN-256
      Key-Server Priority   : 16
      Window Size           : 64
      Conf Offset           : 0
      Replay Protection     : TRUE
      Delay Protection      : FALSE
      Security Policy       : Must Secure
      Vlan Tags In Clear    : 1
      LACP In Clear         : FALSE
      LLDP In Clear         : FALSE
      PTP In Clear          : FALSE
      Pause Frame In Clear  : FALSE
      Sak Rekey Interval    : OFF
      Include ICV Indicator : FALSE
      Use Eapol PAE in ICV  : FALSE
      Disable Suspend On Request    : FALSE
      Disable Suspend For           : FALSE
      Enable legacy fallback        : FALSE
      SKS Profile                   : N/A
      Max AN                        : 3
      Impose Overhead on Bundle     : FALSE
      Enable Fault Detection        : TRUE
      Logging:
        Disable SAK Rekey           : FALSE
        SAK Rekey Summary Interval  : 0
5.

Review the MACsec MKA details for the interface. The EFD section reports whether fault detection is enabled and the most recent action it took on the line protocol.

Example:

Router#show macsec mka interface HundredGigE0/1/0/0 detail
Number of interfaces on node node0_1_CPU0 : 1
----------------------------------------------------

Interface Name : HundredGigE0/1/0/0
    Interface Namestring     : HundredGigE0/1/0/0
    Interface short name     : Hu0/1/0/0
    Interface handle         : 0x800040
    Interface number         : 0x800040
    MacSecControlledIfh      : 0x8000e0
    MacSecUnControlledIfh    : 0x800100
    Interface MAC            : 0257.3fae.5cda
    Ethertype                : 888E
    EAPoL Destination Addr   : 0180.c200.0003
    MACsec Shutdown          : FALSE
    Config Received          : TRUE
    IM notify Complete       : TRUE
    MACsec Power Status      : Allocated
    Interface CAPS Add       : TRUE
    RxSA CAPS Add            : TRUE
    TxSA CAPS Add            : TRUE
    Principal Actor          : None
    MKA PSK Info               
      Key Chain Name         : kc1
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 11 11 
    MKA fallback_PSK Info
      fallback keychain Name : fb1
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 99 99 
    Policy                   : mp
    SKS Profile              : N/A
    Traffic Status           : Blocked
    EFD                     
      Enabled                : TRUE
      Status                 : Shutdown Success

Status: Shutdown Success indicates that fault detection has brought the line protocol Down because the MACsec session is not secured. Once the session is secured again, the same command reports Bringup Success:

Router#show macsec mka interface HundredGigE0/1/0/0 detail
Number of interfaces on node node0_1_CPU0 : 1
----------------------------------------------------

Interface Name : HundredGigE0/1/0/0
    Interface Namestring     : HundredGigE0/1/0/0
    Interface short name     : Hu0/1/0/0
    Interface handle         : 0x800040
    Interface number         : 0x800040
    MacSecControlledIfh      : 0x8000e0
    MacSecUnControlledIfh    : 0x800100
    Interface MAC            : 0257.3fae.5cda
    Ethertype                : 888E
    EAPoL Destination Addr   : 0180.c200.0003
    MACsec Shutdown          : FALSE
    Config Received          : TRUE
    IM notify Complete       : TRUE
    MACsec Power Status      : Allocated
    Interface CAPS Add       : TRUE
    RxSA CAPS Add            : TRUE
    TxSA CAPS Add            : TRUE
    Principal Actor          : None
    MKA PSK Info               
      Key Chain Name         : kc1
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 11 11 
    MKA fallback_PSK Info
      fallback keychain Name : fb1
      MKA Cipher Suite       : AES-256-CMAC
      CKN                    : 99 99 
    Policy                   : mp
    SKS Profile              : N/A
    Traffic Status           : Blocked
    EFD                     
      Enabled                : TRUE
      Status                 : Bringup Success
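The verification steps above are per interface and per policy; across a fleet it is easy to end up with an interface that still carries a should-secure policy, a policy without enable-fault-detection, or an interface where EFD never came up. The following audit script, an added example rather than Cisco code, parses the two show output formats shown in this guide and flags any interface on which an unsecured MACsec session would not be reflected on the line protocol. The sample outputs are constructed from the guide's examples and trimmed to the fields the check needs; the second policy (mp-legacy), the second interface (HundredGigE0/1/0/1) and the "Should Secure" display string are assumptions for illustration.

```python
"""Audit IOS XR MACsec state-reflection settings from show command output.

Added example, not Cisco code. Parses the 'show macsec policy detail' and
'show macsec mka interface <if> detail' formats from this guide and reports
interfaces whose MACsec session failure would NOT bring the line protocol
Down. Sample outputs are constructed; mp-legacy, HundredGigE0/1/0/1 and the
'Should Secure' string are assumptions, not taken from the guide.
"""
import re

# Constructed sample: trimmed 'show macsec policy detail' output.
POLICY_DETAIL = """\
Policy Name                 : mp
      Cipher Suite          : GCM-AES-XPN-256
      Security Policy       : Must Secure
      Enable Fault Detection        : TRUE
Policy Name                 : mp-legacy
      Cipher Suite          : GCM-AES-XPN-256
      Security Policy       : Should Secure
      Enable Fault Detection        : FALSE
"""

# Constructed sample: trimmed 'show macsec mka interface ... detail' output.
MKA_DETAIL = """\
Number of interfaces on node node0_1_CPU0 : 2
----------------------------------------------------

Interface Name : HundredGigE0/1/0/0
    Policy                   : mp
    Traffic Status           : Blocked
    EFD
      Enabled                : TRUE
      Status                 : Shutdown Success
Interface Name : HundredGigE0/1/0/1
    Policy                   : mp-legacy
    Traffic Status           : Blocked
    EFD
      Enabled                : FALSE
"""

# 'field : value' line; non-greedy field so the first colon splits the pair.
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_blocks(text, header):
    """Split show output into {entity_name: {field: value}}.

    A line whose field name equals `header` ("Policy Name" or "Interface
    Name") starts a new block; subsequent fields belong to that block. Lines
    without a colon (section labels such as "EFD", separators) are skipped,
    and fields seen before the first header are ignored.
    """
    blocks = {}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.groups()
        if field == header:
            current = blocks.setdefault(value, {})
        elif current is not None:
            current[field] = value
    return blocks


def unprotected_interfaces(policy_text, mka_text):
    """Return [(interface, reason)] for every condition under which an
    unsecured MACsec session would not be reflected on the line protocol."""
    policies = parse_blocks(policy_text, "Policy Name")
    interfaces = parse_blocks(mka_text, "Interface Name")
    findings = []
    for ifname, fields in interfaces.items():
        policy = policies.get(fields.get("Policy", ""))
        if policy is None:
            findings.append((ifname, "policy %r not in 'show macsec policy detail'"
                             % fields.get("Policy")))
            continue
        if policy.get("Security Policy") != "Must Secure":
            findings.append((ifname, "security policy is not must-secure"))
        if policy.get("Enable Fault Detection") != "TRUE":
            findings.append((ifname, "enable-fault-detection missing from policy"))
        if fields.get("Enabled") != "TRUE":  # the EFD 'Enabled' field
            findings.append((ifname, "EFD not enabled on interface"))
    return findings


def held_down_interfaces(mka_text):
    """Interfaces whose line protocol fault detection has most recently
    brought Down (EFD Status 'Shutdown Success'): intended behaviour, but
    each one is a MACsec session that is currently not secured."""
    interfaces = parse_blocks(mka_text, "Interface Name")
    return [name for name, f in interfaces.items()
            if f.get("Enabled") == "TRUE" and f.get("Status") == "Shutdown Success"]


if __name__ == "__main__":
    for ifname, reason in unprotected_interfaces(POLICY_DETAIL, MKA_DETAIL):
        print(f"{ifname}: {reason}")
    for ifname in held_down_interfaces(MKA_DETAIL):
        print(f"{ifname}: line protocol held Down by MACsec fault detection")
```

Feed it the real outputs (for example, collected over SSH) in place of the constructed strings; the parser keys on field names only, so the extra fields in a full show output are carried along without affecting the checks. On the sample data it reports HundredGigE0/1/0/1 three times (should-secure policy, no fault detection in the policy, EFD disabled) and lists HundredGigE0/1/0/0 as currently held Down.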